Is there a public PoC exploit available for CVE-2026-7221?

Yes, a public proof-of-concept exploit is available for CVE-2026-7221. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-7221?

Yes, a patch is available for CVE-2026-7221. Update the affected software to the latest version immediately.

TencentCloudBase CloudBase-MCP CVE-2026-7221

Q: What is the CVSS score of CVE-2026-7221?

CVE-2026-7221 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-25978 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-28 VulDB

SSRF

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 28, 2026 - 04:30 vuln.today

Severity Changed

Apr 28, 2026 - 04:22 NVD

HIGH MEDIUM

CVSS changed

Apr 28, 2026 - 04:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

EUVD ID Assigned

Apr 28, 2026 - 04:15 euvd

EUVD-2026-25978

Analysis Generated

Apr 28, 2026 - 04:15 vuln.today

Patch released

Apr 28, 2026 - 04:15 nvd

Patch available

CVE Published

Apr 28, 2026 - 03:30 nvd

MEDIUM 5.5

DescriptionNVD

A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the component open-url API Endpoint. The manipulation of the argument req.body.url results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 2.17.1 is able to address this issue. The patch is identified as 3f678a1e7bd400cd76469d61024097d4920dc6b5. It is recommended to upgrade the affected component.

AnalysisAI

Server-side request forgery (SSRF) in TencentCloudBase CloudBase-MCP through version 2.17.0 allows remote unauthenticated attackers to manipulate the open-url API endpoint by injecting arbitrary URLs via the req.body.url parameter, enabling attackers to make unauthorized requests from the server to internal or external resources. The vulnerability has publicly available exploit code and affects the openUrl function in mcp/src/interactive-server.ts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7221 vulnerability details – vuln.today

Back

TencentCloudBase CloudBase-MCP CVE-2026-7221

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

TencentCloudBase CloudBase-MCP CVE-2026-7221

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code